HOTPVerify()

Verifies a counter-based One-Time Password (HOTP) against a secret and expected counter value.

Supports a window parameter to handle counter desync when users generate codes without submitting them.

Requires Extension: Crypto Extension


	HOTPVerify( secret=string, code=string, counter=numeric, options=struct );

Returns: Boolean

Argument	Description
secret _{string, required}	edit Base32-encoded secret
code _{string, required}	edit The HOTP code to verify
counter _{numeric, required}	edit Expected counter value
options _{struct, optional}	edit Optional struct: window (default 0 — exact match), digits (default 6), algorithm (SHA1\|SHA256\|SHA512, default SHA1)

Usage Notes

edit

After a successful verification, always increment the server-side counter to prevent code reuse. The window parameter checks a range of counter values ahead of the expected counter to handle cases where the user generated codes without submitting them (counter desync).

Examples

edit

// Verify an HOTP code against a secret and expected counter value
secret = TOTPSecret();
code = HOTPGenerate( secret, 5 );

// Verify at the exact counter
isValid = HOTPVerify( secret, code, 5 ); // true
isWrong = HOTPVerify( secret, code, 6 ); // false - wrong counter

// Use a window to handle counter desync (e.g. user requested a code but didn't submit it)
// window=5 checks counter values 3 through 8
isValid = HOTPVerify( secret, code, 3, { window: 5 } ); // true - counter 5 is within window

// In a real app, increment the server counter after each successful verification
// to prevent code reuse

HOTPVerify()

Usage Notes

Examples

See also